
Unified Diff: third_party/WebKit/Source/core/frame/Frame.cpp

Issue 2399713002: window.close() should work from a sandboxed iframe if iframe is opener (Closed)
Patch Set: +close() test Created 4 years, 1 month ago
Index: third_party/WebKit/Source/core/frame/Frame.cpp
diff --git a/third_party/WebKit/Source/core/frame/Frame.cpp b/third_party/WebKit/Source/core/frame/Frame.cpp
index 88324f2fd5432f60b555a08f2b7c0255430d0e76..d66ec64f38a8016ecd2c3064820618a28947371e 100644
--- a/third_party/WebKit/Source/core/frame/Frame.cpp
+++ b/third_party/WebKit/Source/core/frame/Frame.cpp
@@ -207,35 +207,44 @@ bool Frame::canNavigate(const Frame& targetFrame) {
bool Frame::canNavigateWithoutFramebusting(const Frame& targetFrame,
String& reason) {
- if (securityContext()->isSandboxed(SandboxNavigation)) {
- // Sandboxed frames can navigate their own children.
- if (targetFrame.tree().isDescendantOf(this))
- return true;
-
- // They can also navigate popups, if the 'allow-sandbox-escape-via-popup'
- // flag is specified.
- if (targetFrame == targetFrame.tree().top() &&
- targetFrame.tree().top() != tree().top() &&
- !securityContext()->isSandboxed(
- SandboxPropagatesToAuxiliaryBrowsingContexts))
- return true;
-
- // Top navigation can be opted-in.
- if (!securityContext()->isSandboxed(SandboxTopNavigation) &&
- targetFrame == tree().top())
- return true;
+ if (&targetFrame == this)
+ return true;
- // Otherwise, block the navigation.
- if (securityContext()->isSandboxed(SandboxTopNavigation) &&
- targetFrame == tree().top())
- reason =
- "The frame attempting navigation of the top-level window is "
- "sandboxed, but the 'allow-top-navigation' flag is not set.";
- else
+ if (securityContext()->isSandboxed(SandboxNavigation)) {
+ if (!targetFrame.tree().isDescendantOf(this) &&
+ !targetFrame.isMainFrame()) {
reason =
"The frame attempting navigation is sandboxed, and is therefore "
"disallowed from navigating its ancestors.";
- return false;
+ return false;
+ }
+
+ // Sandboxed frames can also navigate popups, if the
+ // 'allow-sandbox-escape-via-popup' flag is specified, or if
+ // 'allow-popups' flag is specified, or if the
+ if (targetFrame.isMainFrame() && targetFrame != tree().top() &&
+ securityContext()->isSandboxed(
+ SandboxPropagatesToAuxiliaryBrowsingContexts) &&
+ (securityContext()->isSandboxed(SandboxPopups) ||
+ targetFrame.client()->opener() != this)) {
+ reason =
+ "The frame attempting navigation is sandboxed and is trying "
+ "to navigate a popup, but is not the popup's opener and is not "
+ "set to propagate sandboxing to popups.";
+ return false;
+ }
+
+ // Top navigation is forbidden unless opted-in. allow-top-navigation
+ // will also skips origin checks.
+ if (targetFrame == tree().top()) {
+ if (securityContext()->isSandboxed(SandboxTopNavigation)) {
+ reason =
+ "The frame attempting navigation of the top-level window is "
+ "sandboxed, but the 'allow-top-navigation' flag is not set.";
+ return false;
+ }
+ return true;
+ }
}
ASSERT(securityContext()->getSecurityOrigin());
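Review bot: The comment above the popup check is cut off mid-sentence ("or if the") and lists the allowed cases, while the condition below it is a deny rule, so this sandbox decision is hard to audit as written. I would document the rule the code actually enforces, e.g. `// Block navigating another window's main frame while sandboxing propagates to popups, unless popups are allowed and this frame is the target's opener.` The `reason` string in that branch also appears inverted: the branch is only reached when `isSandboxed(SandboxPropagatesToAuxiliaryBrowsingContexts)` is true, yet the message says the frame "is not set to propagate sandboxing to popups"; please confirm the intended wording. Separately, `targetFrame.client()->opener()` is dereferenced without a check; if `client()` can be null for a detached target frame, the opener comparison needs a guard such as `!targetFrame.client() ||` ahead of it so the navigation is still refused. The body of `canNavigateWithoutFramebusting` continues past the end of this hunk, so the origin checks that popup targets fall through to are not visible here.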